1. Field of the Invention
The present invention relates to an encryption processing apparatus applied illustratively to IC cards. More particularly, the invention relates to an encryption processing apparatus which, operating at a small current, enhances resistance to power analysis attacks, a form of cryptanalysis.
2. Description of the Related Art
FIG. 1 schematically shows a typical structure of an IC card having general encryption capabilities. As shown in FIG. 1, the IC card 1 is made up of an antenna 2 and an IC chip (LSI) 3. The IC chip 3 includes a rectification circuit 4, a smoothing capacitor 5, a voltage stabilization circuit 6, a CPU 7, a memory 8, an encryption circuit 9, peripheral circuits 10, and an RF interface (I/F) 11. The CPU 7, memory 8, encryption circuit 9, peripheral circuits 10, and RF interface 11 exchange data therebetween via a signal bus 12.
As shown in FIG. 1, when brought close to a reader, the IC card 1 with its encryption capabilities detects a feeble magnetic field from the reader, acquires a necessary signal, and gets the antenna 2 to convert the magnetic field into power to operate the IC for desired processing.
In a system of the above-outlined structure, data is encrypted when exchanged between the IC card 1 and a host computer. In addition to the CPU 7 and memory 8, the IC chip 3 has the encryption circuit 9 that decrypts the received signal to obtain relevant information for necessary processing. The obtained information is encrypted and sent to the host computer.
The most commonly utilized encryption method today is DES (Data Encryption Standard). According to DES, the same key is possessed by both the owner of the IC card and the host computer. The data transmitting side encrypts data using the key before sending the encrypted data. The data receiving side decrypts the received data using the same key to retrieve a message. A malicious third party may attempt to eavesdrop on such communication but, without the key, should have difficulty decrypting the encrypted message.
FIG. 2 schematically shows a common structure of a DES operation circuit 20 as a typical decryption circuit. As shown in FIG. 2, the DES operation circuit 20 includes an initial permutation (IP) device 21, switches 22L and 22R, a left (L) register 23, and a right (R) register 24. The DES operation circuit 20 further includes an F-function device 25, an EXOR operation device 26, an inverse permutation (IP−1) device 27, and an encrypted text output device (Crypto) 28.
As shown in FIG. 2, the F-function device 25 has a plurality (8 in FIG. 2) of S-boxes S0 through S7 for executing nonlinear processing. An input value F-in from the upstream stage (i.e., R(n−1)) is expanded to 48 bits by an expansion device (EX) 25-1 before being subjected to the EXOR operations performed by an EXOR operation device 25-2 using a key (48 bits) Kn from a key scheduling device. The output of the EXOR operation device 25-2 is input to the plurality of S-boxes S0 through S7 carrying out nonlinear conversion processes in six bits each. Each of the S-boxes S0 through S7 performs a nonlinear conversion process from six to four bits using a conversion table.
The output bits from the S-boxes S0 through S7 (4×8=32 bits) are input to a permutation device (P) 25-3 for bit position permutation to generate and output an F-function output of 32 bits.
Inside the DES operation circuit 20 are an operation circuit commensurate with a round operation and a register arrangement equivalent to the data width in effect. The circuit is operated a predetermined number of times to perform encryption processing.
When rounds are switched, the register values are updated. The updating of the registers is accompanied by charging and discharging of the signal wires connected to the registers as well as by arithmetic operations of the operation circuit.
During the arithmetic operations, the heaviest of the charging and discharging currents on the signal wires occur when the signal wires are brought from all 0's to all 1's. A power supply device retrieving power from the antenna therefore needs to supply power with a sufficient margin.
P. Kocher and others report on an attack known as DPA (differential power analysis) whereby the currents consumed by an encryption circuit are statistically analyzed in order to extract a key. The environment necessary for this attack can be set up at low cost and the key can be extracted in a short time. It is imperative for secure ICs to be protected against this type of attack.
The DPA attack involves extracting the key by statistically analyzing feeble key-related operation currents that flow while the S-boxes carrying out nonlinear processes produce their outputs, as well as during charging and discharging of the load wires for the registers while their intermediate values are being updated. The following two methods have been proposed to counter the attack:
First, a complementary structure is adopted so that any leak current can be minimized by complementary operations. Second, data is randomized to perturb leak currents whereby statistical analysis is made difficult.
An example of the first method above for countering DPA attacks is the technique disclosed illustratively in Japanese Patent Laid-open No. 2004-347975. The disclosed technique involves developing one-bit data into two-bit values of equal Hamming weights. Two phases composed of an evaluation phase and a pre-charge phase are provided in view of data transitions brought about by arithmetic operations. Control is exercised in such a manner that data is brought to a state that is neither “0” nor “1” before being arithmetically operated on. This makes it difficult to detect changing currents stemming from the transitions of the computed values.
More specifically, a data item of, say, “0” is regarded as “01” and a data item “1” as “10” as they are submitted to encryption operations. When the data items are to be changed by a round operation, they are first brought to “00” before being shifted to computed data.
Suppose now that the transitions are expressed as follows:
transition “0”->“0”: “01”->“00”->“01”;
transition “0”->“1”: “01”->“00”->“10”;
transition “1”->“0”: “10”->“00”->“01”;
transition “1”->“1”: “10”->“00”->“10.”
In such a case, every bit transition caused by an arithmetic operation changes only one bit at each step, regardless of the computed result. This makes it difficult to extract a key from the changing currents.
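The following sketch is an added example, not part of the cited publication or of this specification. It models the encoding above and counts wire toggles for every possible register update, comparing a plain register with the two-rail, pre-charged one; the function names, the 4-bit width, and the assumption that every wire toggle costs the same are illustrative.

```python
from itertools import product

# Encoding from the text: "0" -> "01", "1" -> "10"; "00" is the pre-charge state.
ENCODE = {0: (0, 1), 1: (1, 0)}
PRECHARGE = (0, 0)


def hamming_distance(a, b):
    """Number of wires whose level differs between two states."""
    return sum(x != y for x, y in zip(a, b))


def single_rail_toggles(old_bits, new_bits):
    """Toggles when a plain register is overwritten directly (data dependent)."""
    return hamming_distance(old_bits, new_bits)


def dual_rail_toggles(old_bits, new_bits):
    """Toggles per phase for the two-rail register.

    Returns (pre_charge_phase, evaluation_phase): old value -> "00" on every
    bit pair, then "00" -> encoded new value.
    """
    pre = sum(hamming_distance(ENCODE[b], PRECHARGE) for b in old_bits)
    ev = sum(hamming_distance(PRECHARGE, ENCODE[b]) for b in new_bits)
    return pre, ev


def toggle_profile(width):
    """Distinct toggle counts seen over all old -> new updates of a register."""
    single, dual = set(), set()
    values = list(product((0, 1), repeat=width))
    for old in values:
        for new in values:
            single.add(single_rail_toggles(old, new))
            dual.add(dual_rail_toggles(old, new))
    return sorted(single), sorted(dual)


if __name__ == "__main__":
    single, dual = toggle_profile(4)
    print("plain register, toggles per update:", single)
    print("two-rail register, (pre-charge, evaluate):", dual)
```

In this idealized model the plain register shows a toggle count that varies with the data, while the two-rail register always shows the same pair of counts, which is the property the text relies on.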
An example of the second method above for countering DPA attacks is the technique disclosed illustratively in U.S. Pat. No. 6,295,606. This technique involves disturbing the outputs from the S-boxes using random numbers in order to disturb the feeble currents from circuit operations reflecting the key in use, thereby making statistical analysis of the consumed currents difficult.